Most GitOps setups have a dirty secret: the ArgoCD API server is either exposed to the internet with a load balancer, or accessible only from inside the cluster via awkward port-forwarding. Neither is great for a team working remotely. Tailscale changes this completely.
The Problem With Default ArgoCD Exposure
A public LoadBalancer exposes the ArgoCD UI on a public IP that must be protected by VPN or IP allowlisting. An ingress with authentication works but requires maintaining an ingress controller and certificate rotation. Port-forwarding is secure but unusable for teams since you cannot share a port-forward across engineers. An internal LoadBalancer is only accessible from inside the VPC, meaning remote engineers need a traditional VPN.
What Tailscale Gives You
Tailscale creates an encrypted mesh network between your devices and your Kubernetes services. With the Tailscale Kubernetes operator, you can expose ArgoCD on your tailnet with no public IP, no ingress controller, and no VPN client configuration beyond Tailscale itself. ArgoCD is reachable only from devices on your tailnet, with zero public exposure. Access is controlled via Tailscale ACLs per user, per tag, and per service. Every engineer installs Tailscale once and gets access to all internal services. MagicDNS lets you reach ArgoCD at a human-readable hostname rather than an IP address.
Managing Tailscale ACLs via GitOps
Tailscale ACLs are a JSON file that can be stored in your Git repository. ArgoCD sync hooks can push ACL changes to the Tailscale API whenever the file changes. Your network access policy becomes code — reviewed in pull requests, version-controlled, and auditable. Store your Tailscale ACL JSON in Git, create an ArgoCD Application pointing at that path, add a PostSync hook that calls the Tailscale API with the updated ACL, and ACL changes go through a pull request reviewed and merged like any other infrastructure change.
Kustomize Overlays for Environment-Specific ACLs
Different environments need different ACL rules — production engineers may have broader access than staging. Kustomize overlays handle this cleanly with a base ACL containing shared rules across all environments, production overlays adding restrictions, and staging overlays providing broader developer access. This gives you environment-appropriate access control without duplicating your entire ACL configuration.
Access Control by Role
Tailscale ACL tags let you define access policies by role rather than by individual user. Platform engineers get access to ArgoCD, Prometheus, Grafana, and all internal services. Developers get access to staging ArgoCD and Grafana only. CI runners get access to the ArgoCD API for automated syncs with no UI access. Auditors and QSAs get read-only Tailscale access to the systems they need to review.
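The ACL-in-Git flow described above (policy file in the repository, PostSync hook pushing it) and the role-based tags from this section, shown as manifests in an added example that is not from the original post. Assumed: a Secret named tailscale-api holding a Tailscale API key (created out of band, never committed), a constructed sample policy with made-up groups and tags, and an ArgoCD Application pointing at the directory holding these files. The hook validates the policy first, then posts it with the ETag it read so that a concurrent edit in the admin console makes the push fail instead of being silently overwritten.

```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: tailscale-acl
data:
  policy.hujson: |
    {
      "groups": { "group:platform": ["alice@example.com"] },
      "tagOwners": { "tag:argocd": ["group:platform"], "tag:ci": ["group:platform"] },
      "acls": [
        { "action": "accept", "src": ["group:platform"], "dst": ["tag:argocd:443"] },
        { "action": "accept", "src": ["tag:ci"],         "dst": ["tag:argocd:443"] }
      ]
    }
---
apiVersion: batch/v1
kind: Job
metadata:
  name: tailscale-acl-push
  annotations:
    argocd.argoproj.io/hook: PostSync          # runs after each successful sync of the Application
    argocd.argoproj.io/hook-delete-policy: HookSucceeded
spec:
  backoffLimit: 1
  template:
    spec:
      restartPolicy: Never
      volumes:
        - name: acl
          configMap: { name: tailscale-acl }
      containers:
        - name: push
          image: curlimages/curl:8.5.0
          env:
            - name: TS_API_KEY                  # assumed: Secret provisioned outside Git
              valueFrom:
                secretKeyRef: { name: tailscale-api, key: api-key }
          volumeMounts:
            - { name: acl, mountPath: /acl, readOnly: true }
          command: ["/bin/sh", "-ec"]
          args:
            - |
              API=https://api.tailscale.com/api/v2/tailnet/-/acl   # "-" = the key's own tailnet
              HDR='Content-Type: application/hujson'
              # 1. Validate first; the validate endpoint reports problems in a JSON "message" field
              OUT=$(curl -fsS -u "$TS_API_KEY:" -H "$HDR" --data-binary @/acl/policy.hujson "$API/validate")
              echo "$OUT" | grep -q '"message"' && { echo "$OUT"; exit 1; }
              # 2. Read the current ETag so a concurrent console edit is detected, not overwritten
              ETAG=$(curl -fsS -D - -o /dev/null -u "$TS_API_KEY:" "$API" | awk 'tolower($1)=="etag:" {print $2}' | tr -d '\r')
              # 3. Replace the live policy only if it is still the version we read
              curl -fsS -u "$TS_API_KEY:" -H "$HDR" -H "If-Match: $ETAG" --data-binary @/acl/policy.hujson "$API"
```

Kustomize overlays can patch the ConfigMap per environment while the Job stays in the base, which is the structure the next section describes.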
Security Benefits
ArgoCD has no public attack surface: nothing is exposed for an internet scanner to find or exploit. Every connection is authenticated at the device level, combining the Tailscale node key with the user's identity. ACL changes are fully auditable in Git, with a complete history of who changed what and when. The setup works alongside your existing IdP, since Tailscale supports SSO via Google, Okta, and others. Tailscale provides audit logs of all tailnet connections for compliance purposes.
Conclusion
Tailscale plus ArgoCD is one of those combinations that feels obviously right once you have used it. Your GitOps control plane becomes a private, access-controlled service that remote teams can use comfortably without the security compromise of a public endpoint. The bonus of managing Tailscale ACLs via ArgoCD itself is a satisfying piece of infrastructure self-reference: your network access control is version-controlled by the system it protects.